Windows BITS Service Used to Reinfect Computers with Malware

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.

Abusing BITS is nothing new since criminals used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and installing malware on infected systems.Initial malware infection took place back in March 2016In the particular case, SecureWorks staff were called to investigate a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activities.

The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware calledZlob.Q, had added malicious entries to the BITS service.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

Since the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities.BITS tasks could be used in much more dangerous waysIn this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file that executed as a “notification program.”

BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.

SecureWorks staff presents a method of searching for malicious BITS tasks in their technical write-up, along with a list of domains from where this particular infection kept downloading malicious code.

To read more and the original story follow this link to Softpedia. 

90 Percent of All SSL VPN Use Insecure or Outdated Encryption

Information security firm High-Tech Bridge has conducted a study of SSL VPNs (Virtual Private Networks) and discovered that nine out of ten such servers don’t provide the security they should be offering, mainly because they are using insecure or outdated encryption.

An SSL VPN is different from a classic IPSec VPN because it can be used inside a standard Web browser without needing to install specific software on the client-side.

SSL VPNs are installed on servers, and clients connect to the VPN via their browsers alone. This connection between the user’s browser and the VPN server is encrypted with the SSL or TLS protocol.

Three-quarters of all SSL VPNs use untrusted certificates

Researchers from High-Tech Bridge say they analyzed 10,436 randomly selected SSL VPN servers and they found that most of them are extremely insecure.

They claim that 77% of all SSL VPNs use SSLv3 or SSLv2 to encrypt traffic. Both of these two versions of the SSL protocol are considered insecure today. These protocols are so insecure that international and national security standards, such as the PCI DSS and NIST SP 800-52 guidelines, have even gone as far as to prohibit their usage.

Regardless of their SSL version, 76% of all SSL VPN servers also used untrusted SSL certificates. These are SSL certificates that the server has not confirmed, and that attackers can mimic and thus launch MitM (Man-in-the-Middle) attacks on unsuspecting users.

High-Tech Bridge experts say that most of these untrusted certificates are because many SSL VPNs come with default pre-installed certificates that are rarely updated.

Some VPNs still use MD5 to sign certificates

Additionally, researchers also note that 74% of certificates are signed with SHA-1 signatures, and 5% with MD5 hashes, both considered outdated.

41% of all SSL VPNs also used insecure 1024 key lengths for their RSA certificates, even if, for the past years, any RSA key length below 2048 was considered to be highly insecure.

Even worse, one in ten SSL VPNs is still vulnerable to the two-year-old Heartbleed vulnerability, despite patches being available.

Out of all the tested SSL VPNs, researchers say that only 3% followed PCI DSS requirements. None managed to comply with NIST (National Institute of Standards and Technology) guidelines.

High-Tech Bridge is also providing a free tool that can tell users if their SSL VPN or HTTPS website is actually doing a good job of protecting them.

For the original story follow this link to Softpedia for more information.

Android adware can install itself even when users explicitly reject it

A while back, Ars reported on newly discovered Android adware that is virtually impossible to uninstall. Now, researchers have uncovered malicious apps that can get installed even when a user has expressly tapped a button rejecting the app.

The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Ironically enough, Shedun apps try to gain such control by displaying dialogs such as this one, which promises to help weed out intrusive advertisements.

From that point on, the app has the ability to display popup ads that install highly intrusive adware. Even in cases where a user rejects the invitation to install the adware or takes no action at all, the Shedun-spawned app uses its control over the accessibility service to install the adware anyway.

“Shedun does not exploit a vulnerability in the service,” researchers from mobile security provider Lookout wrote in a blog post published Thursday morning. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

For a video demonstration and the original story follow this link to Ars Technica.

As previously reported, Shedun is one of several families of adware that can’t easily be uninstalled. That’s because the apps root the device and then embed themselves into the system partition to ensure they persist even after factory reset. Lookout refers to them as “trojanized adware” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

The ability to use social engineering to hijack the Android Accessibility Service is yet another sign of the creativity and ingenuity put into this new breed of apps. As always, readers are reminded to carefully weigh the risks and benefits of using third-party app markets. They should also remain highly suspicious of any app that asks for control of the Android Accessibility Service.

Offline attack shows Wi-Fi routers still vulnerable

An attack can break into some common Wi-Fi routers, via a configuration feature.

A researcher has refined an attack on wireless routers with poorly implemented versions of the Wi-Fi Protected Setup that allows someone to quickly gain access to a router’s network.

The attack exploits weak randomization, or the lack of randomization, in a key used to authenticate hardware PINs on some implementations of Wi-Fi Protected Setup, allowing anyone to quickly collect enough information to guess the PIN using offline calculations. By calculating the correct PIN, rather than attempting to brute-force guess the numerical password, the new attack circumvents defenses instituted by companies.

While previous attacks require up to 11,000 guesses—a relatively small number—and approximately four hours to find the correct PIN to access the router’s WPS functionality, the new attack only requires a single guess and a series of offline calculations, according to Dominique Bongard, reverse engineer and founder of 0xcite, a Swiss security firm.

“It takes one second,” he said. “It’s nothing. Bang. Done.”

The problem affects the implementations provided by two chipset manufacturers, Broadcom and a second vendor whom Bongard asked not to be named until they have had a chance to remediate the problem. Broadcom did not provide a comment to Ars.

Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom’s reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness.

The Wi-Fi Alliance could not confirm whether the products impacted by the attack were certified, according to spokeswoman Carol Carrubba.

“A vendor implementation that improperly generates random numbers is more susceptible to attack, and it appears as though this is the case with at least two devices,” she said in a statement. “It is likely that the issue lies in the specific vendor implementations rather than the technology itself. As the published research does not identify specific products, we do not know whether any Wi-Fi certified devices are affected, and we are unable to confirm the findings.”

The research, originally demonstrated at the PasswordsCon Las Vegas 2014 conference in early August, builds on previous work published by Stefan Viehböck in late 2011. Viehböck found a number of design flaws in Wi-Fi Protected Setup, but most significantly, he found that the PIN needed to complete the setup of a wireless router could be broken into smaller parts and each part attacked separately. By breaking down the key, the number of attempts an attacker would have to try before finding the key shrunk from an untenable 100 million down to a paltry 11,000—a significant flaw for any access-control technology.

Viehböck was not the only researcher to notice the flaws in the technology. Independently, Craig Heffner of Tactical Network Solutions discovered the issue and created a tool, Reaver, to use brute-force guessing of all 11,000 combinations to find the PIN. Ars Technica used the tool to confirm the original issue.

Bongard’s updated attack exploits the lack of randomization in the nonce, a number used to create the pseudo-random inputs to calculate the keys.

For more information follow the source link below.

Source: Ars Technica

iOS Mobile Banking Apps Vulnerable to Man in the Middle Attacks

It’s mighty convenient to load up a mobile banking app with a slick interface as opposed to logging into the website via your smartphone’s web browser, but in doing so, you may inadvertently be putting yourself at a greater risk of so-called mail-in-the-middle attacks, hijack attempts, and other unfriendly behavior. A recent study suggests that mobile banking apps for iOS may be less secure than you think.

A researcher at IOActive tested 40 mobile apps from 60 of the leading banks from around the world. His various tests covered transport security, compiler protection, UIWebViews, insecure data storage, logging, and binary analysis. What he found is pretty alarming.

Some 40 percent of the audited apps did not validate the authenticity of SSL certificates presented, which makes them susceptible to man-in-the-middle attacks. Almost all of them — around 90 percent — contained several non-SSL links throughout the application. According to IOActive, this allows an attacker to intercept the traffic and inject arbitrary JavaScript and HTLM code in an attempt to create a fake login prompt or some other similar scam.

The list of vulnerabilities goes on, such as half of the apps being found susceptible to JavaScript injections via insecure UIWebView implementations.

“Home banking apps that have been adapted for mobile devices, such as smartphones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions,” the report concludes.

Source: Hot Hardware

Study finds most mobile apps put your security and privacy at risk

A report from HP claims apps lack security defenses, fail to encrypt data, and compromise personal information.

The average smartphone user has 26 apps installed. If recent research conducted by HP is any indication, approximately, well, all of them, come with privacy or security concerns of some sort.

The HP study focused purely on custom business apps, but there’s no reason to believe the issue doesn’t extend to commercial apps you find in the Apple App Store or Google Play. Many apps have access to data or permission to perform functions they shouldn’t.

If you want to play a game like Angry Birds, there’s no reason that it needs to have access to your contacts, and A a weather app probably doesn’t need to be able to send email on your behalf. The security risks in apps go beyond permissions, though. There are issues in how the apps integrate with core functions of the mobile operating system, as well as how they interact with and share information with one another.

In the HP study, 97 percent of the apps contained some sort of privacy issue. HP also found that 86 percent of the apps lack basic security defenses, and 75 percent fail to properly encrypt data. Assuming similar percentages across the hundreds of thousands of consumer apps in the app stores, it’s likely that you have a few security or privacy concerns floating around your smartphone or tablet.

But this isn’t about malicious apps designed to steal your data. It’s mostly a function of lazy coding. Developers write apps that access everything because it’s easier than writing more specific code, and it also paves the way for any future enhancements that might actually need it.

In a BYOD scenario these security and privacy risks are exaggerated for both the employer and the employee. In most cases, the line between business and personal is not clearly defined, and apps can easily blur that line and put both company and personal data at risk. The problem is exacerbated by the fact that apps are impulse purchases for many users, thanks to low prices and easy installation.

The mobile operating systems have improved in terms notifying users about the permissions an app is requesting and providing the user with more control to allow or block access to specific functions. But the system still puts too much burden on the user, both to know those controls exist and how to use them, as well as to understand the implications and security concerns of the apps.

The better solution is for developers to build security and privacy into the apps from square one. Developers should be aware of the potential implications of how their apps access data and interact with other apps, and design them to be secure by default.

Via: Network World

Millions At Risk As WordPress Plugins Ridden With Critical Vulnerabilities

A host of WordPress plugins contain serious flaws, including many e-commerce add-ons dealing with online payments, researchers have warned.

The vulnerable WordPress plugins detected by Tel-Aviv-based security firm Checkmarx were downloaded millions of times. The researchers warned the flaws could allow hackers to use the WordPress platform, the most popular CMS in the world, as a vehicle for mass infection and malware distribution.

As the plugins are open source, as the WordPress platform itself is, Checkmarx was able to scan code of the top 50 most downloaded plugins on two occasions, once in January, then in early June.

The first test uncovered 18 vulnerable plugins, which were downloaded 18.5 million times. Some of those were produced by WordPress itself, which has now issued fixes, Checkmarx said.

All 18 had been updated by the time Checkmarx did its second test, but just six of the plugins were properly fixed by that time.

In its June test, the firm also found over 20 percent of the most 50 popular add-ons could be exploited by a number of common attacks, such as SQL injection and cross-site scripting. Any sites running these vulnerable plugins are therefore vulnerable too.

SQLi sees attackers attempt to get databases to cough up false information, usually by entering queries into search boxes or in a URL to cause the related SQL database to falter. Automated tools make this kind of hit much easier to carry out.

“If the plugin is vulnerable, say to SQLi, so is the website vulnerable to that type of attack,” Maty Siman, Checkmarx CTO, told TechWeekEurope. “A hacker looking to perform a SQLi attack can simply take any one of the existing automated attack tools, point it to the vulnerable site and attempt to exploit it.”

The researchers also discovered seven out of top 10 most popular e-commerce plugins contained flaws. They were downloaded 1.7 million times.

Checkmarx did not reveal which plugins were vulnerable, but said they included social ones linking to Facebook and certain APIs.

The researchers said whilst it was clear there were some serious security problems with WordPress plugins, other platform providers suffer similar problems.

“The impact? Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details,” the company’s report read.

“Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.”

Source: Tech Week Europe